CVE-2024-28103
📋 TL;DR
This vulnerability in Ruby on Rails Action Pack causes the Permissions-Policy HTTP header to be omitted from non-HTML responses, potentially allowing cross-origin resource access that should be restricted. It affects Rails applications using configurable Permissions-Policy since version 6.1.0. The risk is that browsers may not enforce intended security policies on certain responses.
💻 Affected Systems
- Ruby on Rails Action Pack
📦 What is this software?
Rails by Rubyonrails
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass Permissions-Policy restrictions on non-HTML resources (like JSON APIs), potentially enabling cross-origin attacks or unauthorized access to sensitive browser features.
Likely Case
Limited security policy bypass for specific non-HTML endpoints, potentially exposing APIs to cross-origin attacks that should be restricted.
If Mitigated
Minimal impact if applications don't rely heavily on Permissions-Policy for non-HTML resources or have additional security controls.
🎯 Exploit Status
Exploitation requires understanding of specific Permissions-Policy configurations and cross-origin attack vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.7.8, 7.0.8.2, or 7.1.3.3
Vendor Advisory: https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
Restart Required: Yes
Instructions:
1. Update the Gemfile to specify a patched Rails version.
2. Run 'bundle update rails'.
3. Restart the application server.
4. Verify that the Permissions-Policy header appears on all responses.
🔧 Temporary Workarounds
Middleware-based Permissions-Policy injection
Add custom middleware to ensure the Permissions-Policy header is set on all responses regardless of content type.
# Add to config/application.rb or an initializer. The built-in
# ActionDispatch::PermissionsPolicy::Middleware is the component that skips
# non-HTML responses, so a small custom Rack middleware sets the header instead:
class PermissionsPolicyFallback
  def initialize(app, policy); @app, @policy = app, policy; end
  def call(env)
    status, headers, body = @app.call(env)
    headers["Permissions-Policy"] ||= @policy   # applied regardless of content type
    [status, headers, body]
  end
end
Rails.application.config.middleware.use PermissionsPolicyFallback, "camera=(), microphone=()"  # configure your policy here
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers as additional defense layer
- Use reverse proxy or WAF to inject Permissions-Policy headers on all responses
🔍 How to Verify
Check if Vulnerable:
Check if Permissions-Policy header is missing from non-HTML responses (like JSON API endpoints) while present on HTML responses.
Check Version:
Run 'rails --version', or check Gemfile.lock for the 'rails' version.
Verify Fix Applied:
Verify that the Permissions-Policy header appears on all response types after patching, for example with curl: 'curl -I https://your-app.com/api/endpoint'
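The verification steps above, automated as an added example (not code from the advisory or from Rails): each URL is fetched with a non-HTML Accept header and flagged when the response is non-HTML and carries no Permissions-Policy header, which is the pattern this CVE produces. The URLs and the HTML/non-HTML classification by Content-Type are assumptions.

```ruby
require "net/http"
require "uri"

# Decide whether one response shows the CVE-2024-28103 pattern: a non-HTML
# body served without a Permissions-Policy header. Header names are compared
# case-insensitively because Rack 3 lowercases them.
def policy_missing?(content_type, headers)
  html = content_type.to_s.downcase.start_with?("text/html")
  has_policy = headers.any? { |name, _| name.to_s.casecmp?("permissions-policy") }
  !html && !has_policy
end

# Fetch one URL with a JSON Accept header (assumed to trigger a non-HTML
# response) and return a small report hash. Network errors are reported,
# not raised, so a batch of URLs keeps running.
def check_endpoint(url, accept: "application/json")
  uri = URI(url)
  req = Net::HTTP::Get.new(uri)
  req["Accept"] = accept
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
  headers = res.each_header.to_h
  { url: url, status: res.code.to_i, content_type: res["content-type"],
    vulnerable_pattern: policy_missing?(res["content-type"], headers) }
rescue StandardError => e
  { url: url, error: e.message }
end

# Usage: ruby check_pp.rb https://your-app.com/api/endpoint https://your-app.com/
if __FILE__ == $PROGRAM_NAME
  ARGV.each { |u| puts check_endpoint(u).inspect }
end
```

A HTML page and a JSON endpoint from the same app should both report vulnerable_pattern: false once the patch is applied.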
📡 Detection & Monitoring
Log Indicators:
- Unusual cross-origin requests to non-HTML endpoints
- Missing Permissions-Policy headers in access logs for certain content types
Network Indicators:
- HTTP responses without Permissions-Policy headers for non-HTML content types
SIEM Query:
http.response_content_type NOT "text/html" AND NOT http.headers.permissions_policy EXISTS
🔗 References
- https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
- https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
- https://security.netapp.com/advisory/ntap-20241206-0002/